Suspicious Shells Spawn by Java Utility Keytool
Detects a suspicious shell or living-off-the-land binary spawned as a child of the Java keytool utility (keytool.exe), a process chain seen during exploitation of ManageEngine ADSelfService Plus (CVE-2021-40539, see the references in the rule).
Sigma rule

title: Suspicious Shells Spawn by Java Utility Keytool
id: 90fb5e62-ca1f-4e22-b42e-cc521874c938
status: test
description: Detects suspicious shell spawn from Java utility keytool process (e.g. adselfservice plus exploitation)
references:
    - https://redcanary.com/blog/intelligence-insights-december-2021
    - https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html
author: Andreas Hunkeler (@Karneades)
date: 2021-12-22
modified: 2023-01-21
tags:
    - attack.initial-access
    - attack.persistence
    - attack.privilege-escalation
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\keytool.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\schtasks.exe'
            - '\certutil.exe'
            - '\whoami.exe'
            - '\bitsadmin.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\scrcons.exe'
            - '\regsvr32.exe'
            - '\hh.exe'
            - '\wmic.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\forfiles.exe'
            - '\scriptrunner.exe'
            - '\mftrace.exe'
            - '\AppVLP.exe'
            - '\systeminfo.exe'
            - '\reg.exe'
            - '\query.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
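The rule above has a single selection block: the parent image must end with \keytool.exe and the child image must end with one of the listed names. Sigma string matching is case-insensitive by default, and the leading backslash in each value pins the match to the whole file name rather than a suffix of it. The following Python is an added example (not part of the rule or of the Sigma project) that implements exactly that selection and runs it over a handful of constructed process_creation events (on Windows these would come from Sysmon event ID 1 or Security event 4688 with command-line auditing). The ADSelfService Plus JRE path and the event contents are constructed for illustration and are not captured telemetry.

```python
"""Added example: evaluate the keytool child-process Sigma selection over
constructed Sysmon-style process_creation events (not the rule's own code)."""
from typing import Iterable

# Parent the rule keys on, and the child images it flags (copied from the rule).
PARENT_SUFFIX = r"\keytool.exe"
CHILD_SUFFIXES = (
    r"\cmd.exe", r"\sh.exe", r"\bash.exe", r"\powershell.exe", r"\pwsh.exe",
    r"\schtasks.exe", r"\certutil.exe", r"\whoami.exe", r"\bitsadmin.exe",
    r"\wscript.exe", r"\cscript.exe", r"\scrcons.exe", r"\regsvr32.exe",
    r"\hh.exe", r"\wmic.exe", r"\mshta.exe", r"\rundll32.exe", r"\forfiles.exe",
    r"\scriptrunner.exe", r"\mftrace.exe", r"\AppVLP.exe", r"\systeminfo.exe",
    r"\reg.exe", r"\query.exe",
)


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma's |endswith modifier: comparison is case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's 'selection' block:
    ParentImage ends with PARENT_SUFFIX AND Image ends with one of CHILD_SUFFIXES."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return endswith_ci(parent, PARENT_SUFFIX) and any(
        endswith_ci(image, s) for s in CHILD_SUFFIXES
    )


def scan(events: Iterable[dict]) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events; paths are illustrative, not captured telemetry.
# The ADSelfService Plus JRE location is an assumption about a typical install.
ADSSP_JRE = r"C:\ManageEngine\ADSelfService Plus\jre\bin"
SAMPLE_EVENTS = [
    # 1: the exploitation pattern the rule targets -> match
    {"id": 1, "ParentImage": ADSSP_JRE + r"\keytool.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # 2: mixed-case parent image; Sigma matching is case-insensitive -> match
    {"id": 2, "ParentImage": r"C:\Program Files\Java\jdk-17\bin\KEYTOOL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c whoami"},
    # 3: keytool launching another JVM binary; java.exe is not listed -> no match
    {"id": 3, "ParentImage": ADSSP_JRE + r"\keytool.exe",
     "Image": ADSSP_JRE + r"\java.exe", "CommandLine": "java.exe -version"},
    # 4: cmd.exe spawned by java.exe, not keytool.exe -> no match for this rule
    {"id": 4, "ParentImage": ADSSP_JRE + r"\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    # 5: the leading backslash in '\cmd.exe' stops 'mycmd.exe' matching -> no match
    {"id": 5, "ParentImage": ADSSP_JRE + r"\keytool.exe",
     "Image": r"C:\Tools\mycmd.exe", "CommandLine": "mycmd.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        verdict = "ALERT" if matches_rule(e) else "ok   "
        print(f"{verdict} {e['id']}: {e['ParentImage']} -> {e['Image']}")
    print("alerting event ids:", scan(SAMPLE_EVENTS))
```

Note that the selection does not look at CommandLine at all, and the rule ships with falsepositives set to Unknown at level high: before enabling it, baseline what keytool.exe spawns in your own environment (installer or build scripts that wrap keytool can produce cmd.exe children) and add a filter for any recurring benign parent command line rather than dropping entries from the child list.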